Gone Phishing

Although this isn’t strictly a web development topic, it’s at least an interesting quirk about the way domains work that many may not know — we certainly didn’t till today, so it’s probably worth bringing to attention.

Today I received another eBay phishing scam. This is nothing new in itself — like most people I’ve received dozens over the last year — but this one was a little different. Generally the URLs embedded in phishing emails are quite obviously dodgy as they clearly begin with an IP number. However, as you can see above, the URL looked more reasonable than most.

I’m listing the real IPs here for reference but I’ve disabled the links as they are obviously controlled by shady characters, so we don’t recommend you visit them.

To my surprise the ‘http://3281702273′ part was a viable IP.

Now I’d personally never seen anything like this before, but as I’m no DNS expert so that’s no big deal there. However after tossing the URL around the office I found no-one else seemed to have seen anything similar either.

Kevin did a little trial and error and figured out how it works. The number ‘3281702273’ is a decimal conversion of a hex number — ‘c39acd81’ (try it here) — which, in turn, can be translated to an IP address.
c3 = 195
9a = 154
cd = 205
81 = 129

So in theory ‘http://3281702273′ and ‘http://195.154.205.129′ are the same thing.

Interestingly, IE7 seems to do a better job than Firefox or IE6 with these obscured IP addresses, by automatically converting them to normal IP before sending them. The page renders fine but the URL displays the standard IP.

No doubt most sysadmins are snoring at point in the post by now, but I suspect plenty of relatively tech savvy people (and their friends and family) might be more susceptible to the subtleties of this scam than most others.

Hopefully a few less now anyway.

It’s nice to see that since this morning Firefox is clearly reporting the URL as a ‘Suspected Web Forgery’. Hooray for Web services.